Firewall/Shorewall question
Here's my problem:
In /var/log/messages:
Jul 19 21:06:46 all2all:REJECT:IN= OUT=eth0 SRC=A.B.C.D DST=128.206.12.154 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
This tells me that the all2all chain is rejecting my NTP traffic from my
firewall to the NTP server (128.206.12.154). The SRC address (A.B.C.D) is my
external gateway IP.
I cannot figure out why this isn't going through from my config below. Can you
see something I'm missing here? I've been staring at it for too long.
Mike/
Here's my config:
# Shorewall 1.3 /etc/shorewall/zones
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
wap WAP Wireless Access Point
--
# Shorewall 1.3 /etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918,dropunclean,blacklist,filterping,routefilter
loc eth1 192.168.1.255 dhcp
wap eth2 192.168.2.255 dhcp,dropunclean,blacklist,filterping,routefilter
--
# Shorewall 1.3 /etc/shorewall/policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc wap ACCEPT
loc fw REJECT
wap net ACCEPT
wap fw REJECT
net all DROP info 10/sec:40
all all REJECT info
--
# Shorewall 1.3 /etc/shorewall/common
source /etc/shorewall/common.def # Include common.def
run_iptables -A common -p udp --sport domain -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport auth -j REJECT
--
# Shorewall 1.3 /etc/shorewall/routestopped
#INTERFACE HOST(S)
eth1 192.168.1.0/24
# Shorewall version 1.3 /etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
# Local Network to Internet
ACCEPT loc net udp ntp
# Reject attempts by trojans to call home
REJECT:info loc net tcp ircd
#
# Local Network to Firewall
ACCEPT loc fw tcp ssh
ACCEPT loc fw tcp time
ACCEPT loc fw tcp domain
ACCEPT loc fw udp domain
ACCEPT loc fw udp ntp
#
# Local Network to WAP
# Globally allowed by policy
#
# Internet to WAP
#ACCEPT net wap tcp www
#ACCEPT net wap tcp smtp
#ACCEPT net wap tcp ftp
#ACCEPT net wap tcp auth
#ACCEPT net wap tcp https
#ACCEPT net wap tcp imaps
#ACCEPT net wap tcp domain
#ACCEPT net wap udp domain
#ACCEPT net wap tcp cvspserver
#ACCEPT net wap icmp echo-request
#ACCEPT net wap tcp rsync
# Allow ICQ chat and transfers
#ACCEPT net loc tcp 4000:4100
#
# Internet to Local
# Next line allows ICQ chat and transfers
ACCEPT net loc tcp 4000:4100
ACCEPT net loc tcp auth
REJECT net loc tcp www
#
# WAP to Internet
ACCEPT wap net icmp echo-request
ACCEPT wap net tcp smtp
ACCEPT wap net tcp auth
ACCEPT wap net tcp domain
ACCEPT wap net udp domain
ACCEPT wap net tcp www
ACCEPT wap net tcp https
ACCEPT wap net tcp whois
ACCEPT wap net tcp echo
ACCEPT wap net udp ntp
#ACCEPT wap net:$NTPSERVER udp ntp
#ACCEPT wap net:$POPSERVERS tcp pop3
#
# WAP to Firewall
ACCEPT wap fw tcp snmp
ACCEPT wap fw udp snmp
#
# WAP to Local
# Globally disallowed by policy
#
# Internet to Firewall
#ACCEPT net fw tcp 1723
#REJECT net fw tcp www
# Just to avoid logging these clowns
REJECT net fw tcp ms-sql-s
REJECT net fw tcp smtp
REJECT net fw tcp ftp
#
# Firewall to Internet
#ACCEPT fw net:$NTPSERVER udp ntp
ACCEPT fw net udp ntp
ACCEPT fw net tcp domain
ACCEPT fw net udp domain
ACCEPT fw net tcp www
ACCEPT fw net tcp https
ACCEPT fw net tcp ssh
ACCEPT fw net tcp whois
ACCEPT fw net icmp echo-request
# Firewall to WAP
# Globally allowed by policy
#
##############################################################################
# The following compensates for a bug, either in some FTP clients or in the
# Netfilter connection tracking code that occasionally denies active mode
# FTP clients.
ACCEPT:info loc net tcp 1024: ftp-data
ACCEPT:info wap net tcp 1024: ftp-data
#
##############################################################################
# LOC protection
DROP net loc tcp nfs
DROP net loc udp nfs
DROP net loc tcp xfs
DROP net loc tcp x11:6009
DROP net loc tcp printer
DROP net loc udp printer
DROP net loc tcp sunrpc
DROP net loc udp sunrpc
#DROP net loc tcp microsoft-ds
#DROP net loc tcp netbios-ns
#DROP net loc tcp netbios-dgm
#DROP net loc tcp netbios-ssn
#
##############################################################################
# WAP protection
DROP net wap tcp nfs
DROP net wap udp nfs
DROP net wap tcp xfs
DROP net wap tcp x11:6009
DROP net wap tcp printer
DROP net wap udp printer
DROP net wap tcp sunrpc
DROP net wap udp sunrpc
#DROP net wap tcp microsoft-ds
#DROP net wap tcp netbios-ns
#DROP net wap tcp netbios-dgm
#DROP net wap tcp netbios-ssn
Mike
--
() Join the ASCII ribbon campaign against HTML email and Microsoft-specific
/\ attachments. If I wanted to read HTML, I would have visited your website!
Support open standards.
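As an added example (not part of Mike's post and not Shorewall's own code), the script below does the cross-check a reader of a log line like the one above wants: it parses the Shorewall-prefixed netfilter entry, derives the source and destination zones from IN=/OUT= with an interface-to-zone map, and walks an abridged copy of the rules and policy files to report the first entry that should have matched. The interface map, the rules and policy excerpts, and the small service-name table are constructed from the post; the evaluator is a deliberate simplification of Shorewall 1.3 matching (no connection tracking, no `common` chain, no interface options, and any host qualifier after `zone:` is ignored), so its answer is only "what the files say", to be compared against the chain that actually logged the packet.

```python
"""Simplified Shorewall 1.3 rule evaluator for one netfilter log line.

Added example, not part of the original post or of Shorewall itself.
The log line, interface map, rules, policy and service table below are
constructed from the post; connection tracking, the `common` chain and
interface options are not modelled.
"""
import re

# Constructed: the log line from the post, joined back onto one line.
LOG_LINE = ("Jul 19 21:06:46 all2all:REJECT:IN= OUT=eth0 SRC=A.B.C.D "
            "DST=128.206.12.154 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF "
            "PROTO=UDP SPT=123 DPT=123 LEN=56")

# Constructed: interface->zone map and abridged rules/policy from the post.
INTERFACES = {"eth0": "net", "eth1": "loc", "eth2": "wap"}
POLICY = """
loc net ACCEPT
loc wap ACCEPT
loc fw REJECT
wap net ACCEPT
wap fw REJECT
net all DROP info 10/sec:40
all all REJECT info
"""
RULES = """
#ACTION SOURCE DEST PROTO DEST SOURCE
ACCEPT loc net udp ntp
REJECT:info loc net tcp ircd
ACCEPT loc fw tcp ssh
ACCEPT net loc tcp 4000:4100
ACCEPT fw net udp ntp
ACCEPT fw net tcp domain
ACCEPT:info loc net tcp 1024: ftp-data
DROP net loc tcp x11:6009
"""
# Minimal /etc/services subset so the example needs no system lookup.
SERVICES = {"ntp": 123, "domain": 53, "ssh": 22, "ircd": 6667,
            "ftp-data": 20, "x11": 6000, "www": 80}

# Optional syslog timestamp, optional "host kernel:", optional "Shorewall:",
# then the Shorewall 1.3 prefix chain:disposition: and the key=value fields.
LOG_RE = re.compile(r"^(?:\w{3}\s+\d+\s+[\d:]+\s+)?(?:\S+\s+kernel:\s*)?"
                    r"(?:Shorewall:)?(?P<chain>[\w-]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")


def parse_log(line):
    """Return {'chain', 'disposition', 'fields'} for a Shorewall log entry.
    A repeated key (the IP and UDP/TCP LEN=) keeps its second copy as KEY_L4;
    a bare flag such as DF becomes True."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a Shorewall-prefixed netfilter log line")
    fields = {}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if not sep:
            fields[key] = True
        elif key in fields:
            fields[key + "_L4"] = val
        else:
            fields[key] = val
    return {"chain": m.group("chain"), "disposition": m.group("disp"), "fields": fields}


def zones(fields, interfaces):
    """Map IN=/OUT= to (source zone, destination zone); an empty side is the firewall."""
    src = interfaces.get(fields["IN"]) if fields.get("IN") else "fw"
    dst = interfaces.get(fields["OUT"]) if fields.get("OUT") else "fw"
    return src, dst


def port(name):
    return int(name) if name.isdigit() else SERVICES[name]


def port_matches(spec, value):
    """Shorewall port syntax: a name or number, or lo:hi with either side open."""
    if spec in ("", "-"):
        return True
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port(lo) == value
    return (port(lo) if lo else 0) <= value <= (port(hi) if hi else 65535)


def parse_table(text, ncols):
    """Whitespace-separated rows, comments stripped, padded/truncated to ncols."""
    rows = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if cols:
            rows.append((cols + [None] * ncols)[:ncols])
    return rows


def zone_ok(spec, zone):
    # Host qualifier after "zone:" is ignored in this simplified model.
    return spec.split(":")[0] in ("all", zone)


def evaluate(log, interfaces, rules_text, policy_text):
    """Return ('rule', text) or ('policy', text) for the first matching entry."""
    f = log["fields"]
    src, dst = zones(f, interfaces)
    proto = f.get("PROTO", "").lower()
    dport, sport = int(f.get("DPT", 0)), int(f.get("SPT", 0))
    for action, rsrc, rdst, rproto, rdport, rsport in parse_table(rules_text, 6):
        proto_ok = rproto in (None, "-", "all") or rproto.lower() == proto
        # ICMP type names are not modelled; only the protocol is compared.
        ports_ok = rproto == "icmp" or (port_matches(rdport or "", dport)
                                        and port_matches(rsport or "", sport))
        if zone_ok(rsrc, src) and zone_ok(rdst, dst) and proto_ok and ports_ok:
            return "rule", " ".join(x for x in (action, rsrc, rdst, rproto, rdport, rsport) if x)
    for psrc, pdst, pol in parse_table(policy_text, 3):
        if zone_ok(psrc, src) and zone_ok(pdst, dst):
            return "policy", f"{psrc} {pdst} {pol}"
    return "none", ""


def main():
    log = parse_log(LOG_LINE)
    kind, entry = evaluate(log, INTERFACES, RULES, POLICY)
    print(f"logged: {log['chain']}:{log['disposition']}  zones: {zones(log['fields'], INTERFACES)}"
          f"  expected from config: {kind} '{entry}'")


if __name__ == "__main__":
    main()
```

For the packet in the post the evaluator reports the rule `ACCEPT fw net udp ntp`, while the kernel logged `all2all:REJECT`. When the file and the log disagree like that, the ruleset actually loaded is the next thing to inspect rather than the file: confirm the firewall was restarted after the last edit and list the live OUTPUT chain with `iptables -L OUTPUT -n -v` to see whether a fw2net chain with the NTP rule is present at all.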